mystic | cc5e37d73955fc0316a074c4b20f0296dee40952f8d275b2c6c6eb4eb0947059

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5e7bb0a7cc45636a72f93a4151ea7e22ee4ee9111c58d3a429b065f67104b4a.exe
Size

648KB
MD5

c12139634f017d2d2c93952feebda554
SHA1

34d49019576082964f1d79b2cb8fa2f1298f1c29
SHA256

e5e7bb0a7cc45636a72f93a4151ea7e22ee4ee9111c58d3a429b065f67104b4a
SHA512

85480633f93547b3ac6bf0b0971b42d41ef30bc4fda2eb1f91b8459e371d7705008fe168f63ba8eb11c5ce61cff484faa6200b823022183c39c10bbbf148b38f
SSDEEP

12288:6Mr/y90MJQl5BK7ra5tpf0e7FlSBhobizWQG+UhZ+wGBEAb9ot02QH4xk:NyWl5BMa5/tRitiQG+UhQvEAGtDgd

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

mystic

http://5.42.92.211/

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral18/memory/2788-14-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral18/memory/2788-15-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral18/memory/2788-18-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral18/memory/2788-16-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2jw288EV.exe	family_redline
behavioral18/memory/2600-22-0x0000000000510000-0x000000000054E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

Jm5AD1vQ.exe1OF70sw1.exe2jw288EV.exe

pid process

412 Jm5AD1vQ.exe
2964 1OF70sw1.exe
2600 2jw288EV.exe

pid	process
412	Jm5AD1vQ.exe
2964	1OF70sw1.exe
2600	2jw288EV.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e5e7bb0a7cc45636a72f93a4151ea7e22ee4ee9111c58d3a429b065f67104b4a.exeJm5AD1vQ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e5e7bb0a7cc45636a72f93a4151ea7e22ee4ee9111c58d3a429b065f67104b4a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Jm5AD1vQ.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1OF70sw1.exe

description pid process target process

PID 2964 set thread context of 2788 2964 1OF70sw1.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2724 2964 WerFault.exe 1OF70sw1.exe
3764 2788 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 2964 set thread context of 2788	2964	1OF70sw1.exe	AppLaunch.exe

pid	pid_target	process	target process
2724	2964	WerFault.exe	1OF70sw1.exe
3764	2788	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

e5e7bb0a7cc45636a72f93a4151ea7e22ee4ee9111c58d3a429b065f67104b4a.exeJm5AD1vQ.exe1OF70sw1.exe

description	pid	process	target process
PID 3936 wrote to memory of 412	3936	e5e7bb0a7cc45636a72f93a4151ea7e22ee4ee9111c58d3a429b065f67104b4a.exe	Jm5AD1vQ.exe
PID 3936 wrote to memory of 412	3936	e5e7bb0a7cc45636a72f93a4151ea7e22ee4ee9111c58d3a429b065f67104b4a.exe	Jm5AD1vQ.exe
PID 3936 wrote to memory of 412	3936	e5e7bb0a7cc45636a72f93a4151ea7e22ee4ee9111c58d3a429b065f67104b4a.exe	Jm5AD1vQ.exe
PID 412 wrote to memory of 2964	412	Jm5AD1vQ.exe	1OF70sw1.exe
PID 412 wrote to memory of 2964	412	Jm5AD1vQ.exe	1OF70sw1.exe
PID 412 wrote to memory of 2964	412	Jm5AD1vQ.exe	1OF70sw1.exe
PID 2964 wrote to memory of 2788	2964	1OF70sw1.exe	AppLaunch.exe
PID 2964 wrote to memory of 2788	2964	1OF70sw1.exe	AppLaunch.exe
PID 2964 wrote to memory of 2788	2964	1OF70sw1.exe	AppLaunch.exe
PID 2964 wrote to memory of 2788	2964	1OF70sw1.exe	AppLaunch.exe
PID 2964 wrote to memory of 2788	2964	1OF70sw1.exe	AppLaunch.exe
PID 2964 wrote to memory of 2788	2964	1OF70sw1.exe	AppLaunch.exe
PID 2964 wrote to memory of 2788	2964	1OF70sw1.exe	AppLaunch.exe
PID 2964 wrote to memory of 2788	2964	1OF70sw1.exe	AppLaunch.exe
PID 2964 wrote to memory of 2788	2964	1OF70sw1.exe	AppLaunch.exe
PID 2964 wrote to memory of 2788	2964	1OF70sw1.exe	AppLaunch.exe
PID 412 wrote to memory of 2600	412	Jm5AD1vQ.exe	2jw288EV.exe
PID 412 wrote to memory of 2600	412	Jm5AD1vQ.exe	2jw288EV.exe
PID 412 wrote to memory of 2600	412	Jm5AD1vQ.exe	2jw288EV.exe

C:\Users\Admin\AppData\Local\Temp\e5e7bb0a7cc45636a72f93a4151ea7e22ee4ee9111c58d3a429b065f67104b4a.exe
"C:\Users\Admin\AppData\Local\Temp\e5e7bb0a7cc45636a72f93a4151ea7e22ee4ee9111c58d3a429b065f67104b4a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3936

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jm5AD1vQ.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jm5AD1vQ.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:412

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1OF70sw1.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1OF70sw1.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 548
5⤵
- Program crash
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 600
4⤵
- Program crash
PID:2724

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2jw288EV.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2jw288EV.exe
3⤵
- Executes dropped EXE
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2788 -ip 2788
1⤵
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2964 -ip 2964
1⤵
PID:748

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jm5AD1vQ.exe
Filesize
452KB

MD5
bca9c7b71ead7fdeac218edf4f3fab4f

SHA1
8209879f1df23e99506acb591142cc2ef2d07bc3

SHA256
43916853307921a44b9bcbefcc2890ade99cddc949bd548070f7bdf60832f48c

SHA512
fd6a8ca472d2a69a6a5bb83fad33fa672ba2aaf75710e471042566337ea31abd0b5f31257bf9ee954c58962a37bcb40245a669e48dd9d3f8b2dc235213277196

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1OF70sw1.exe
Filesize
449KB

MD5
46c07b6d1b3acddad8d1950c6bd97e3e

SHA1
b6d22845e2970215807bcaaf0fbd214d6dc03823

SHA256
05a3779eb239d2829b65153440efeb694599a2847cd1944932450db46be8b0de

SHA512
f7b619451892c0274749f7732e0427048b04423602d13fb59bfb6b88e1797e1ed8fefebe7bcdf968a7927ab46b219f318742401c64c1d00b12276cf8c9b7d101

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2jw288EV.exe
Filesize
221KB

MD5
091ca9376b4690e7926da147c97b54d9

SHA1
3123d1df94c0e9c29f07ddbf4d5e8833b9eef48e

SHA256
8a05206e08291da87e64198c77450883d1953a5350a30c09699e115f8d07feaa

SHA512
65258bb587ae16cd2b90d029e67f2652538cac5c5f6e52e59f74e7845bcbc9b85f15fefd2fe97e490989472004cbf751482c06d8a93ee3ba7bdcf0b958c21aa6

Download Submit
memory/2600-27-0x0000000007670000-0x000000000777A000-memory.dmp

Filesize
1.0MB

Download
memory/2600-22-0x0000000000510000-0x000000000054E000-memory.dmp

Filesize
248KB

Download
memory/2600-23-0x00000000077F0000-0x0000000007D94000-memory.dmp

Filesize
5.6MB

Download
memory/2600-24-0x00000000072E0000-0x0000000007372000-memory.dmp

Filesize
584KB

Download
memory/2600-25-0x0000000002710000-0x000000000271A000-memory.dmp

Filesize
40KB

Download
memory/2600-26-0x00000000083C0000-0x00000000089D8000-memory.dmp

Filesize
6.1MB

Download
memory/2600-28-0x00000000074C0000-0x00000000074D2000-memory.dmp

Filesize
72KB

Download
memory/2600-29-0x0000000007560000-0x000000000759C000-memory.dmp

Filesize
240KB

Download
memory/2600-30-0x00000000074F0000-0x000000000753C000-memory.dmp

Filesize
304KB

Download
memory/2788-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download